How To Configure iptables Firewall In Linux
Iptables is a great firewall included in the netfilter framework of Linux. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Configuring iptables manually is challenging for the uninitiated. Fortunately, there are many configuration tools available to assist: e.g., fwbuilder, bastille, and ufw.
First Concepts:
Packet: a logical container representing the flow of data
Protocol: a language and set of rules that network devices operate by
Port: a numerical designation representing a particular protocol
Iptables tables and their chains:
- MANGLE
  - rules to modify the packets
- NAT (Network Address Translation)
  - PREROUTING
  - POSTROUTING
- FILTER
  - INPUT
  - OUTPUT
  - FORWARD
Iptables rules decide what happens to the packets of a specific protocol; for example, if you want to deny an internet connection, iptables can do it.
Iptables Configuration
See what rules are already configured.
# iptables -L
With no rules configured, this allows anyone access to anything from anywhere. Delete the existing iptables rules:
# iptables -F
Policies
a. ACCEPT: allow the traffic
b. DROP: deny the traffic
For example: if the default policy of INPUT is DROP, the firewall denies all incoming internet traffic.
If you want to change the policy of a chain you can do it with the following command:
iptables -P CHAIN POLICY
Protecting your system: Rules
Setting the default policy of INPUT to DROP
Allowing the packets from your LAN (first, you must know the local IP address using the ‘ifconfig’ command).
# iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT
Allowing the internet traffic (replies to connections your machine has started)
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allowing all outbound traffic
# iptables -A OUTPUT -j ACCEPT
Allowing HTTP and HTTPS connections from anywhere (the normal ports for websites)
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allowing SSH connections. The --dport number is the same as the Port set in /etc/ssh/sshd_config
# iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Blocking an IP address with iptables
The policy for INPUT must be DROP.
Add a new rule to drop the traffic from the corresponding IP address (here the archlinux.org IP):
# iptables -A INPUT -s 66.211.214.131 -j DROP
Add a new rule to allow the rest of the internet traffic (all the rules that drop traffic must be created before this rule, because iptables checks rules in order and the first match wins):
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
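The two sections above describe one ordered ruleset. As an added example (not from the tutorial or the netfilter project), the following POSIX shell script assembles those rules in the right order, checks the order before touching anything, and only applies them when run as root with APPLY=1; otherwise it just prints the commands so they can be reviewed. The variable names LAN_NET, BLOCKED_IP, SSH_PORT and APPLY are this script's own assumptions, defaulting to the tutorial's values. Two deliberate additions beyond the text: a rule accepting the loopback interface (dropping it breaks local services) and the INPUT policy switched to DROP as the last step, so a remote SSH session running the script is not cut off before the SSH accept rule exists.

```shell
#!/bin/sh
# Added example, not the tutorial's own code.  Prints the iptables
# commands for review; APPLY=1 (as root) runs them.  LAN_NET, BLOCKED_IP
# and SSH_PORT are assumptions that default to the tutorial's values.

LAN_NET="${LAN_NET:-192.168.100.0/24}"
BLOCKED_IP="${BLOCKED_IP:-66.211.214.131}"
SSH_PORT="${SSH_PORT:-22}"

# Prints the commands in the order they must run.  The per-host DROP is
# listed before the stateful ACCEPT (first match wins), and the INPUT
# policy is set to DROP last so an SSH session survives the script.
# The loopback rule is an addition beyond the tutorial.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s $LAN_NET -j ACCEPT
iptables -A INPUT -s $BLOCKED_IP -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Line number (1-based) of the first generated command containing the
# given fixed string; prints nothing if there is no match.
rule_line() {
    firewall_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# Sanity check before applying: the DROP for the blocked host must come
# before the ESTABLISHED,RELATED ACCEPT, and the DROP policy must be the
# very last command.  Returns 0 when the order is right.
rule_order_ok() {
    drop=$(rule_line "-s $BLOCKED_IP -j DROP")
    allow=$(rule_line "--state ESTABLISHED,RELATED")
    policy=$(rule_line "-P INPUT DROP")
    total=$(firewall_rules | wc -l | tr -d ' ')
    [ -n "$drop" ] && [ -n "$allow" ] && [ -n "$policy" ] &&
        [ "$drop" -lt "$allow" ] && [ "$policy" -eq "$total" ]
}

# Runs each generated command, echoing it first so the terminal log shows
# exactly what was applied.
apply_rules() {
    firewall_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
}

if ! rule_order_ok; then
    echo "generated ruleset is out of order, refusing to continue" >&2
    exit 1
fi

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    firewall_rules
fi
```

Run it once without APPLY to read the generated commands, compare them with `iptables -L --line-numbers` afterwards, and keep a console session open (not only SSH) the first time you apply a DROP policy.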
Common iptables options:
| Option | Meaning |
|---|---|
| -A | Append: add a new rule at the end of a chain |
| -I | Insert a new rule (at the top, or at a given position) |
| -D | Delete a rule |
| -R | Replace the rule at a given position |
| -L | List the rules |
| -L --line-numbers | Show the position number of each rule |
| -F | Delete all the rules |
| -F CHAIN | Delete the rules of a specific chain |
| -N CHAIN_NAME | Create a new chain |
| -X CHAIN | Delete a chain |
| -P | Change the default policy of a chain |
| iptables -A CHAIN -s | Specify a source (IP address) |
| iptables -A CHAIN -p | Specify the protocol |
| iptables -A CHAIN -p tcp --dport | Specify the port |
| iptables -A CHAIN … -j | Determine the policy (target) for a specific rule |
Iptables has a lot of possibilities, but this is a basic tutorial. If you want to know more about iptables you can follow these links:
http://netfilter.org/documentation/
https://wiki.debian.org/iptables
https://wiki.archlinux.org/index.php/Iptables
http://www.faqs.org/docs/linux_network/x-087-2-firewall.future.html